Data Security: UT Gas Pumps Carry Card Skimmers

One of the difficulties I have face when speaking to people about the need for better data security is denial, "because we're too small, it won't happen to us." "It" being a data breach. In other words, we're too small to be targeted (usually followed by the proclamation, "that kind of stuff only happens at the movies, anyway.")

With such attitudes, it's always a little challenging to convince people that they should be using full disk encryption for securing their sensitive data on their laptops. But, as the following story shows, life imitates art.

Fingernail-sized Device Attached to Gas Pumps To Steal Data

Criminals attached credit-card skimming devices inside gas pumps across Utah, according to darkreading.com. These devices were Bluetooth-enabled, meaning data could be collected from a distance, and was "the size of a cellular phone SIM card."

If you're not aware, because you've been using, say, Verizon as you cellphone provider, a SIM card is about the size of a dime. Put a sticker over it--say, a warning message: "Please don't remove"--and you probably wouldn't. I mean, it's electronic, it's attached to the gas pump's internals...it's probably a doohickey of some sort; removing it might break the pump, or perhaps transport you to Middle Earth...

Anyway, this way of pilfering data is not as uncommon as it appears: apparently, similar situations have cropped up across Europe, and California had its own situation. The case in Utah involved some 180 pumps. It's believed that the devices were in place for two months. They were removed in January.

It Only Happens In Movies?

The thought that someone would go around not only installing stuff inside gas pumps (how do you even do this without the employees noticing?), but would take the time to buy 180 doodads, configure them, and install them (again, 180 times)...well, it's unheard of, right?

The above sounds like something that would only happen in the movies (maybe it can be the script to Ocean's 14: Clooney & Co. Hits Bottom). But no, it's being done by some real criminal organization (in Utah, of all places).

And, the gas stations are not being targeted because they've got money, or happen to be big business: my guess is that they've been targeted regardless of whether it's a franchisee or a corporate-owned one, whether the location is profitable or not (granted, you usually don't have too many of the latter when it comes to gas stations).

What are the criminals after? They saw an opportunity to make a buck (illegally) and took it. Just because it doesn't happen often enough doesn't mean it doesn't happen, nor that it won't happen. Credit card skimming has been around for a long time, and this latest one is just an advanced twist on what used to happen at ATM machines with skimmers that were much, much bigger in size.

Likewise with laptops and other data storage devices. People have this general feeling that their laptops will not be targeted for the data in them because they're not rich; or perhaps they do have money but they're not famous enough, so why would they be targeted; or whatever. The reasons are myriad.

I've even had a discussion with a person who never stores any sensitive info on a particular laptop, but does use it for on-line banking. If the laptop gets stolen...well, so what? Passwords are not stored, so it doesn't matter.

Here's one scenario I can think of: thief takes a look at the computer and notices the guy does on-line banking. He installs a keystroke logger and returns the laptop. Owner checks his balance on-line using compromised computer. On-line banking compromised.

What are the chances of this happening? What are the chances your credit card number got compromised at a gas pump on your road trip to Vegas?

Now, if the laptop in my scenario had been protected with disk encryption, there would have been no way of knowing what the laptop contained, so any harm real or imagined would have been prevented.

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.